Sunday, October 20, 2013

Operating Systems as Potential Source of Digital Evidences


Performing a comprehensive digital forensic examination requires a full understanding of the computer operating system (OS). An operating system is “a program that manages all the applications in a computer” (University of Maryland University College, 2012). The OS manages the hardware resources, enables the execution of commands, acts as an interface between hardware and software, controls the security of the system and allows the sharing of resources and files across the network. This paper discusses different operating systems as sources of digital forensic evidence. Each section on a source of digital evidence discusses its file systems, the tools and techniques helpful to forensic examiners, and the challenges faced by the investigator. The final section compares each source of evidence in terms of network intrusion, malware installation and insider file deletion.
Digital Evidences in Windows

The following section discusses the Windows operating system (OS) as a source of data for digital forensic investigation. Over the past three decades Windows has dominated the computer market with its applications in personal computers, Web browsers and big enterprise hardware and software. After the first release of Windows 1.0 in 1985, numerous versions of Microsoft Windows have been developed, from older versions such as Windows 9x, NT, ME and 2000 to newer versions like Windows XP, Windows Vista, 7, and Windows Server 2003 or 2008. The latest versions are widely used in home, corporate and government environments (Pittman & Shaver, 2009). A forensic examiner needs to fully understand the operating system, its file systems and the various tools needed to conduct a thorough forensic analysis.

FAT and NTFS file systems


Analyzing the file systems, examining how directories and folders are structured, and learning how data is stored on a computer hard drive helps the digital forensic examiner locate a given file. The Windows operating system contains a number of locations that can act as a rich source of evidence. Windows operating systems use four different file systems: FAT12, FAT16, FAT32 and NTFS. In the FAT (File Allocation Table) file system, data is stored on disk in clusters, each of which is made up of one or more sectors. A sector is the minimum unit that can be written to or read from a disk and is usually 512 bytes (University of Maryland University College, 2012). A variety of digital forensic tools help the investigator analyze the FAT to reveal the root directory, the FAT folders and the data clusters of a hard drive. By viewing the FAT, the investigator can identify a file in a folder, the cluster(s) it occupies, and the clusters at which the file starts and ends. The FAT also helps the investigator identify the subdirectories that contain file information such as attributes, names, dates, sizes, and the first cluster of each file on the system. However, the FAT file system has shortcomings such as inadequate security, lack of backup facilities, smaller storage capacity and poor data management (Pittman & Shaver, 2009). As a result, modern Windows systems use NTFS, a more efficient file system.
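As an added illustration of what a tool reads when it "views the FAT" (example code written for this page, not taken from any of the cited sources or forensic products), the following Python script builds a small FAT12 volume in memory, decodes the boot sector, lists the root directory entries with their attributes, sizes, timestamps and first clusters, follows a live file's cluster chain, and shows what survives of a deleted entry. The volume layout, the file names REPORT.TXT and SECRET.DOC and their contents are constructed sample data.

```python
import struct

SECTOR = 512
EOC = 0xFF7  # FAT12 entries >= 0xFF7 mark a bad cluster or the end of a chain

def fat12_get(fat, n):
    """Return the 12-bit FAT entry for cluster n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    if n & 1:
        return (fat[off + 1] << 4) | (fat[off] >> 4)
    return ((fat[off + 1] & 0x0F) << 8) | fat[off]

def pack_fat12(values):
    """Inverse of fat12_get for an even-length list; used only to build the sample image."""
    out = bytearray()
    for a, b in zip(values[0::2], values[1::2]):
        out += bytes([a & 0xFF, ((b & 0xF) << 4) | (a >> 8), b >> 4])
    return out

def fat_timestamp(date, time):
    """Decode the packed FAT date and time words into a readable timestamp."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_volume(img):
    """Read the BIOS Parameter Block and compute the FAT, root directory and data offsets."""
    bps, spc, reserved, nfats, nroot, _total = struct.unpack_from("<HBHBHH", img, 11)
    spf = struct.unpack_from("<H", img, 22)[0]
    fat_off, root_off = reserved * bps, (reserved + nfats * spf) * bps
    return {"cluster": spc * bps, "fat": img[fat_off:fat_off + spf * bps],
            "root_off": root_off, "nroot": nroot, "data_off": root_off + nroot * 32}

def root_entries(img, vol):
    """Return (name, attr, first_cluster, size, modified, deleted) for each root entry."""
    out = []
    for i in range(vol["nroot"]):
        raw = img[vol["root_off"] + i * 32: vol["root_off"] + (i + 1) * 32]
        if raw[0] == 0x00:               # 0x00: no entries follow
            break
        attr = raw[11]
        if attr == 0x0F or attr & 0x08:  # skip long-name and volume-label entries
            continue
        deleted = raw[0] == 0xE5         # deletion overwrites only the first name byte
        base = ("?" if deleted else chr(raw[0])) + raw[1:8].decode("ascii").rstrip()
        ext = raw[8:11].decode("ascii").rstrip()
        wtime, wdate, first, size = struct.unpack_from("<HHHI", raw, 22)
        out.append((base + ("." + ext if ext else ""), attr, first, size,
                    fat_timestamp(wdate, wtime), deleted))
    return out

def cluster_chain(fat, first):
    """Follow the FAT from `first` to the end-of-chain marker, refusing to loop."""
    chain, n = [], first
    while 2 <= n < EOC and n not in chain:
        chain.append(n)
        n = fat12_get(fat, n)
    return chain

def read_clusters(img, vol, clusters, size):
    """Concatenate the listed data clusters and trim to the logical file size."""
    parts = [img[vol["data_off"] + (c - 2) * vol["cluster"]:][:vol["cluster"]] for c in clusters]
    return b"".join(parts)[:size]

def carve_deleted(img, vol, first, size):
    """Deletion zeroes the FAT chain, so recovery assumes contiguous clusters from `first`."""
    count = -(-size // vol["cluster"])   # ceiling division
    return read_clusters(img, vol, list(range(first, first + count)), size)

def examine(img):
    """Map each root entry name to what an examiner would record about it."""
    vol, report = parse_volume(img), {}
    for name, attr, first, size, mtime, deleted in root_entries(img, vol):
        chain = cluster_chain(vol["fat"], first)
        content = carve_deleted(img, vol, first, size) if deleted else read_clusters(img, vol, chain, size)
        report[name] = {"attr": attr, "first": first, "size": size, "modified": mtime,
                        "deleted": deleted, "chain": chain, "content": content,
                        "fat_entry_freed": fat12_get(vol["fat"], first) == 0}
    return report

def build_image():
    """Constructed 32 KiB FAT12 volume: 512-byte sectors, 1 sector/cluster, 1 FAT, 16 root entries."""
    img = bytearray(64 * SECTOR)
    img[11:24] = struct.pack("<HBHBHHBH", SECTOR, 1, 1, 1, 16, 64, 0xF8, 1)
    fat = pack_fat12([0xFF8, 0xFFF, 3, 5, 0, 0xFFF])  # REPORT.TXT: 2->3->5; cluster 4 freed
    img[SECTOR:SECTOR + len(fat)] = fat
    wtime, wdate = 0x73C0, 0x4354                      # 14:30:00 on 2013-10-20
    root, archive = 2 * SECTOR, bytes([0x20])          # 0x20 = archive attribute
    img[root:root + 32] = b"REPORT  TXT" + archive + bytes(10) + struct.pack("<HHHI", wtime, wdate, 2, 1100)
    img[root + 32:root + 64] = b"\xE5ECRET  DOC" + archive + bytes(10) + struct.pack("<HHHI", wtime, wdate, 4, 200)
    for cl, payload in {2: b"A" * 512, 3: b"B" * 512, 4: b"old secret " * 20, 5: b"C" * 76}.items():
        off = 3 * SECTOR + (cl - 2) * SECTOR           # data region starts at sector 3
        img[off:off + len(payload)] = payload
    return bytes(img)

if __name__ == "__main__":
    for name, info in examine(build_image()).items():
        print(name, "deleted" if info["deleted"] else "live", info["chain"], info["size"], info["modified"])
```

The deleted entry keeps its size, timestamps and first cluster even though its FAT entries are zero, which is why undelete tools can attempt a contiguous read from that first cluster but cannot reconstruct a fragmented chain.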

NTFS (New Technology File System) is an alternative to the FAT file systems. The current version of NTFS has been used in Windows XP and later OS releases. From the digital forensic perspective, understanding the differences between FAT and NTFS is very important with respect to the following features: data storage, data security, file size and file naming conventions (University of Maryland University College, 2012). NTFS uses a data structure called the Master File Table (MFT) instead of a file allocation table. The MFT contains one record for every file on an NTFS volume, including one for itself, each with a file identifier number (Casey, 2011). This makes access to and organization of data more efficient. Moreover, the MFT also helps the forensic examiner with data backup and the recovery of deleted data. NTFS also adds an improved security feature, the access control list (ACL), which governs read, write and execute access to Windows files and folders.

While FAT uses only end-of-file (EOF) markers to specify a file's size, NTFS uses EOF markers as well as the Valid Data Length (VDL) to determine a file's logical size, the true length of the data as it is stored on the hard disk. As a result, an uninitialized space is created where data can remain. An investigator can recover the data in uninitialized space even if there have been attempts to delete it. NTFS's support for data backup and deleted-data recovery makes it the preferred Windows file system from the examiner's perspective.

Windows Forensics Tools and Techniques


In order to extract evidence from Windows file systems, file-system traces have been widely used. Whenever a user initiates an action on a system, date-time stamps are placed on the file system, and file-system traces provide vital information by readily exposing those date-time stamps. Log files in the newest versions of Windows provide useful forensic information: they associate the user with the date, time and action on a system (user attribution). In addition to Windows file-system traces and log files, various Windows features are used in the recovery and analysis of forensic evidence. Tools from Microsoft itself (and third-party tools) are used to decode password-protected and encrypted files and to recover data from a suspect's drive. The Windows Registry contains information valuable to the forensic investigator. The Registry provides various pieces of information relating to the OS, installed applications, user access information, user settings and the privileges users have to applications and networks (Mee, Tryfonas & Sutherland, 2006). A forensic program, RegGen, is used for the analysis of the registry files stored on Windows devices.

Besides using the features in Windows, various proprietary and open source software tools are used for the collection and analysis of digital evidence on Windows-based systems. Helix runs on Windows as a standard application and is used to collect digital evidence on live or active systems. The PsTools suite provides a variety of detailed information about Windows systems, both remotely and locally. For instance, PsList displays process, CPU, memory and thread statistics for all processes presently running on the system, PsFile shows files opened remotely, and PsLogList dumps event log records.

Challenges in Windows Forensics


The forensic examiner faces several challenges in the Windows environment. One challenge is that the Encrypting File System (EFS) and products like Microsoft Passport provide increased security for the Windows environment but can make the job of the forensic analyst more difficult. Finding information in Windows file slack and RAM slack requires a lot of effort by the examiner, as they conceal vital evidence such as files, e-mail, user names and passwords (Wiles & Reyes, 2007). The absence of a comprehensive single source of digital evidence covering everything from the Windows file systems to Internet Explorer is a great challenge for corporate investigators. As a result, they have to piece together information from different sources and apply UNIX techniques to the Windows environment.

Digital Evidences in Macintosh


Apple's Macintosh systems are not as popular as Windows systems in the forensic community. However, due to the user-friendliness of MacOS and its quick access to files and applications, Macintosh systems are becoming widely used and need the attention of forensic examiners. Since its inception in 1984, various versions of the Macintosh computer have been developed, along with its Mac OS X systems.

The File Systems in MacOS


Two types of hierarchical file system (HFS) are used on MacOS, namely HFS and HFS Plus (the improved version). Unlike the Windows OS, which uses a file allocation table, Mac uses catalog and overflow files. The catalog tree is a database of the folders and files on a Mac hard drive. The catalog file collects information such as date-time stamps (created, modified, accessed and backed up) for each file and folder. The catalog file records are stored in a B-tree, a simple database structure for searching (Casey, 2011). While HFS supports 16-bit processing, the improved HFS+ supports 32-bit processing. In addition, HFS Plus applies journaling, which helps fast recovery in case of a power outage or a crash.

Mac Forensic Tools and Techniques


Various tools and techniques assist the forensic investigator in examining digital evidence on a Mac. Mac file-system traces provide useful information for understanding date-stamp behavior on MacOS 9 and MacOS X. Browsers such as Safari, Mozilla Firefox and Opera are used to trace network activities such as Internet traces, Web activity, e-mail activity and network-storage information. Mac's Web caches and plist files are also helpful in recovering information about users' incoming and outgoing e-mails and the Web servers they accessed. Furthermore, tools like Norton Utilities and Prosoft Data Rescue can be used to recover deleted files from Mac systems (Kokocinski, 2009).

The forensic software Macintosh Forensic Suite, with a collection of 26 modules, provides the investigator with various tools and utilities (Wiles & Reyes, 2007). For instance, one of the modules in the suite, the Directory Scan utility, allows the investigator to view all the files and folders on a Macintosh volume. Another tool in the suite, HeaderBuilder, makes changing headers easy and shows MD5 hashes quickly. Another tool, PhantomSearch, allows capturing all the invisible files on a volume.

Challenges in Mac Forensics


One of the challenges in Mac digital evidence is creating a bitstream copy of a hard drive. One common approach to copying a hard drive from a Mac system is to remove it and connect it to another computer. It is also possible to boot a Macintosh from a CD-ROM. However, hard drives should be disconnected from the system first in order to avoid accidental alteration of date-time stamps (Kokocinski, 2009). Another challenge on the Mac is data recovery. Due to the complex nature of the B-tree structure of the catalog, deleted file names do not remain in the file system for long. As a result, it is difficult to recover the file names and associated date-time stamps even with forensic tools like EnCase and FTK. Tools like Norton Utilities, DiskWarrior and ProSoft Data Rescue are helpful in file recovery. Some files in MacOS are stored in binary format and are difficult to read. For Macintosh systems there is a need for more forensic examination and research.

Digital Evidences in UNIX


UNIX started as a free OS three decades ago. Different types of UNIX have been developed since then, both proprietary versions (Sun Solaris, IBM's AIX) and free versions (Linux, FreeBSD and OpenBSD). UNIX is powerful enough to allow several users and multiple programs to use one computer simultaneously. Not only is UNIX an important source of digital evidence, it is also an excellent platform for forensic examination. Any digital forensics laboratory has at least one Linux environment, either native or running through a virtual machine product such as VMware (Steel, 2006). In contrast to the GUI found in Windows, UNIX uses command-line functions for the execution of instructions.

File Systems in UNIX


The popular file systems are UFS (UNIX File System), Reiser, and ext2 and ext3 (Extended File Systems 2 and 3). They have much simpler directories, containing only a list of file names and their associated inodes (index nodes). This simple file structure, coupled with the command-line functions, makes it easier for forensic examiners to trace the location of file names from the root directory to the inode and to the individual data blocks or groups. A library card catalog is analogous to the UNIX file system (Atheide & Casey, 2009).

As in Windows, UNIX systems grant certain users root access; such users (and the examiner) have full administrative privileges. Understanding file allocation and deletion in UNIX is very important for the examiner. Both the OS and the file system determine how files are deleted. In the case of ext2, when a file is deleted the inode is returned to the free-inode list of the superblock, and its contents are not cleared. In ext3, by contrast, the inode contents are cleared first and then the inode is returned to the free-inode list. This makes file recovery easier in ext2 and more difficult in ext3.

Linux/Unix Forensic Techniques and Tools


Linux has several important features that assist digital acquisition and examination. To make a bitstream copy of the source hard drive, examiners often use Helix, a freeware tool. The mainstay of acquiring digital evidence in UNIX is the dd command, used to create a copy of a hard drive.

Data can be recovered using the file carving capability of UNIX, by carving files from any evidence object, unallocated space or a swap file. Another approach to recovering a deleted file is to search for inodes and recover the associated data using icat (Atheide & Casey, 2009). Reviewing log files is very helpful in UNIX and provides important information such as the commands used, activities and system changes, useful for reconstructing events and tracking down offenders. File-system trace analysis is also very useful, as any activity can leave an impression on a UNIX system. For instance, remnants such as spool files from printing, temp files from applications, and date-time stamps and user IDs from other systems provide a fuller picture of what is occurring on the system.

UNIX was specifically designed with networking in mind, and Internet trace analysis is a rich source of evidence for the examiner. Web browsers such as Mozilla Firefox store and provide information on Web browsing. UNIX systems generally store e-mail under the home directory of each user, making it easier for the examiner to access. As UNIX systems are configured to store, log and print user data on remote systems, network traces are easily found and are valuable information leading to further digital evidence.

Tools like The Coroner's Toolkit (TCT) are designed specifically to help in forensic examinations and run on most UNIX/Linux operating systems. The Coroner's Toolkit is a collection of applications and is one of the toolkits most frequently used by forensic examiners (Wiles & Reyes, 2007). Moreover, tools like Sleuth Kit and SMART provide a GUI (graphical user interface), simplifying the examination process in UNIX.

Challenges in UNIX Forensics


One of the main challenges for the digital investigator is dealing with password protection and encryption. Attempting to break encryption within UNIX systems is rarely effective, especially for strong encryption. Such attempts require significant time and effort as well as taking advantage of weaknesses in the implementation of the encryption program. To crack passwords, tools like Crack and John the Ripper can be used to attempt to guess password entries in UNIX. Proper collection and examination of digital evidence requires familiarity with the computer system in question. The complexity and the large number of UNIX variants call for special training and education of examiners in UNIX administration (all aspects of the UNIX system) and its security features. Being prevalent on the Internet, UNIX systems are vulnerable to network-borne attacks, especially Advanced Persistent Threats (APTs), a form of cybercrime focused more on espionage (University of Maryland University College, 2012). The continuous emergence of new malware and the lack of robust detection and prevention systems in the UNIX environment call for malware analysis as part of the digital forensic examination.

Digital Evidences in Mobile Devices OS


Mobile devices such as cell phones and smartphones have become an integral part of people's daily lives, and their popularity in the digital world is increasing. These devices are also used in facilitating crimes or are otherwise involved whenever crimes occur. As a result, they are becoming sources of digital evidence. Valuable personal information such as pictures, e-mails and addresses, and other useful data such as where individuals were at specific times and with whom they were in contact, can be collected from those devices.

There are various types of mobile phones and smartphones made by several manufacturers, and each kind of smartphone and mobile device has a different operating system. The standard operating systems for portable devices include the iPhone's iOS, Palm OS and Palm webOS, Nokia's Symbian, Microsoft's proprietary Windows OS and Android, the open source OS developed by Google. While a few devices (iPhone and BlackBerry) centralize the distribution of software, most other portable devices allow and encourage independent applications on their platform. From the forensic examiner's viewpoint all of this complicates the task of forensic analysis, and the need for and effort toward developing forensic examination tools and techniques have been growing.

Forensic Analysis Tools for Mobile Devices


Despite the growing challenge, there are a growing number of commercial forensic tools that provide evidence acquisition and analysis capabilities for these devices. These include UFED, Micro Systemation XRY, Logicube CellDEK and MOBILedit! Forensic software (University of Maryland University College, 2012). Cellebrite's Universal Forensic Extraction Device (UFED) is used to extract evidence physically from the devices using cables and USB memory sticks. Micro Systemation XRY acquires forensic information logically via infrared, Bluetooth and USB. Logicube CellDEK allows only logical data acquisition, but with the capability of identifying the type of device based on brand name, model number and dimensions. The forensic software MOBILedit! uses cables to extract physical forensic data from the device and generates a forensic report.

Challenges in Mobile Device Forensics


The speedy way in which these mobile devices come, go, and grow presents unique challenges for the forensic examiner. By the time forensic collection and analysis procedures become available for many of these devices, the devices may be out of date or have evolved into a completely different architecture (Brown, 2010). Mobile devices' unique characteristics, such as their overall design, size and specific components, pose challenges to investigators during every phase of the computer forensics process. More importantly, the existence of various operating systems poses challenges to forensic tools and examiners in extracting digital evidence. Mobile device systems are a challenging source of evidence because the data on them is volatile and different tools are needed to process different devices. Finally, the currently limited forensic tools and training in the area of mobile forensics need more attention.

Prioritization of Digital Evidences in Terms of Usefulness


Network Intrusion


A network intrusion can be any use of a network that compromises its stability or the security of information stored on a computer connected to the network. It may be any attempt to gain unauthorized access to files or privileges, any effort to destabilize the system as a whole, or unauthorized use of software. While intrusion detection helps detect attacks, network forensics involves “discovering and retrieving evidential information in a networked environment about a crime in such a way as to make it admissible to court” (Vacca, 2009). Network forensics uses log files to determine when users logged on, which URLs a user accessed and how they logged into the network. It also tries to determine what tracks or new files are left behind. Network forensics requires not only making a forensic image of a compromised drive, but also an image of the applications used (Nelson et al., 2010). Live acquisitions are especially useful when dealing with network intrusions. I believe the Mac computer systems used by suspects are the most useful source of network forensic evidence, next being the Unix OS, followed by mobile device OS and Windows OS.

Sources of digital evidences   Network Intrusion   Malware Installation   Insider file deletion
Windows OS                     3rd                 2nd                    1st
Macintosh OS                   1st                 3rd                    2nd
UNIX OS                        2nd                 1st                    3rd
Mobile Devices OS              3rd                 4th                    4th

Table: Prioritization of Digital Evidences in Terms of Usage

Malware Installation


The absence of robust malware detection systems on Linux/UNIX makes it vulnerable to new and more sophisticated malware. UNIX systems are also susceptible to network-borne attacks like APTs. That makes the UNIX OS the most useful digital evidence source in terms of malware installation. Windows systems are also the most widely used systems and are often attacked, so the Windows OS is the next most useful source of digital evidence, followed by MacOS and mobile OS.

Insider file deletion


Computer forensics deals with the task of recovering data that users have deleted or hidden so that the recovered data may be used as evidence. The investigator searches the storage media and, if data is found, puts the pieces together to produce evidence. In data recovery, the Windows OS, with its registry, log files and date stamps, is the most useful. The Macintosh OS is next, followed by the UNIX OS and mobile device OS.


Conclusions

A digital investigator will encounter different computer operating systems as sources of digital evidence. An in-depth understanding of the computer operating system (OS) helps a digital forensic investigator understand the basic functions of the device and dig deeper into the data to be examined. The paper discussed four different operating systems as potential sources of digital evidence – Windows, Mac, Unix OS and mobile device OS. While the Windows OS has dominated the computer market and the forensic environment, the user-friendly nature of MacOS is increasing its use and drawing the attention of investigators. The UNIX OS is not only becoming an important source of digital evidence, but is also an excellent platform for forensic examination. Built-in features like the file system, logs and file-system traces help the investigator recover hidden or deleted data. Despite continuous challenges, several forensic tools and techniques are being used in the acquisition and examination of digital evidence. The existence of an enormous variety of OS types, uniqueness of design, and the volatile nature of their data make mobile devices the most challenging sources of digital evidence.


References:



Atheide, C. & Casey, E. (2009). UNIX forensic analysis. In E. Casey (Ed.), Handbook of digital forensics and investigation (pp. 301-351). Burlington, MA: Elsevier Academic Press.

Brown, C. L. (2010). Computer evidence: collection and preservation, second edition.  Retrieved from  http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=33937

Casey, E. & Turnbull, B. (2011). Digital evidence on mobile devices. In Digital evidence and computer crime: Forensic science, computers, and the Internet (3rd ed.). Retrieved from


Kokocinski, A. (2009). Macintosh forensic analysis. In E. Casey (Ed.), Handbook of digital forensics and investigation (pp. 353-382). Burlington, MA: Elsevier Academic Press.
Mee, V., Tryfonas, T., & Sutherland, I. (2006). The Windows Registry as a forensic artifact: Illustrating evidence collection for Internet usage. Digital Investigation, 3(3), 166-173. Retrieved from www.elsevier.com/locate/diin

Pittman, R. D. & Shaver, D. (2009). Windows forensic analysis. In E. Casey (Ed.), Handbook of digital forensics and investigation (pp. 209-300). Burlington, MA: Elsevier Academic Press.

Steel, C. (2006). Windows forensics: the field guide for corporate computer investigations. Retrieved


University of Maryland University College. (2012). Forensic analyses of Operating Systems, Module 6. Retrieved from http://tychousa11.umuc.edu/CSEC650/1202/9040/class.nsf/Menu?OpenFrameSet&Login

Vacca, J. R. (Ed.). (2009). Computer and information security handbook. Retrieved from


Wiles, J. & Reyes, A. (2007). The best damn cybercrime and digital forensics book period. Retrieved from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=25452.

Thursday, October 17, 2013

Vulnerability and Risk Management in Mobile Devices

Use of mobile devices is expanding at an increasing rate in both the private and public workforces. They offer organizations the ability to keep their employees well connected at all times, whether they are at home, in the office or travelling. However, mobile devices present a special security risk due to their mobility and small size. The objective of this paper is to assess vulnerabilities as well as policies, standards and procedures for effective risk management of mobile devices. The first section discusses the benefits of mobile devices. The second section deals with the vulnerabilities associated with mobile computing and mobile devices. The third section briefly introduces policies, standards and procedures for mobile device risks. Finally, concluding remarks are offered.
Benefits of Mobile Devices
Mobile computing is computing that allows continuous access to remote resources. It requires the use of mobile computing devices such as laptops, PDAs, Pocket PCs and smartphones. Those smartphones include the Apple iPhone, Google Android, Research in Motion (RIM) BlackBerry and Windows Mobile-based devices (Microsoft Press, 2005). Because of their mobility and small size, those devices pose a much higher risk of physical compromise and malware threats. In addition, most mobile devices are built with a single user in mind and lack the security and manageability features necessary for enterprise IT systems and network infrastructure.
Despite the associated risks, mobile devices have become an indispensable tool in today's networked environment. For many organizations, using wireless communication and mobile devices has become more convenient, flexible and easy, and it helps keep their employees in touch at all times. Those devices allow people to conduct business anytime and anywhere: at home, in the office or while travelling. As a result, usage of mobile devices has reached an unprecedented level. With its rapid growth, mobile cellular subscriptions were estimated to reach 4.6 billion globally at the end of 2009 (US-CERT, 2010).
Observing an increase in employees' productivity as a result of increased use of mobile devices, many organizations (private as well as public) have chosen to purchase, manage and support their use by employees (ISACA, 2010). Some companies allow employee-owned mobile devices to be used for business purposes. This may seem cost-effective, but such devices are difficult to manage and control, leading to higher risks (NIST, 2008). Moreover, providing security solutions is more difficult when mobile devices are regulated.
The benefits of mobile devices experienced by enterprises include increased employee productivity (connectivity for knowledge workers and completion of work offsite), improved customer service (timely responses to customer problems and increased efficacy of business processes), employee security and safety (the device keeps the employee connected and in touch while travelling to and from remote areas), and employee retention (creating a positive environment as management supports the use of mobile devices within the enterprise). In addition, users of mobile devices can synchronize data between desktops and mobile devices, helping them use wireless services such as wireless e-mail, Internet access or Web browsing, thereby reducing the cost of wiring to the enterprise (Radack, 2003). However, the increased use of mobile devices and their inherent vulnerabilities make them susceptible to malicious activities as well as non-malicious internal threats.
Vulnerabilities, Risks and Security Concerns
While mobile devices provide convenience and productivity, they also pose a significant threat to enterprise security. Some of the vulnerabilities inherent to mobile devices include mobility and data loss, wireless network use and exposure to untrusted wireless networks, difficulty in applying security updates and patches, mobile malware and Bluetooth technology, and social engineering and social network abuse (ISACA, 2010; Microsoft Press, 2005). In addition to those threats, mobile devices also face all the threats that desktop computers do.
Mobility
Because of their mobility, mobile devices have a much greater chance of being stolen. Most employees work on their laptops at home or take their laptop or cellular phone on business or personal trips. Stolen mobile devices may be sold to an attacker who can potentially retrieve all the information from the device. That information may include passwords for network accounts, personal information or sensitive company data. The information can be used to attack the organization's network or to steal identities, causing greater negative impact to the organization.
Some enterprises may face a greater threat than others if their devices fall into the wrong hands. For example, hardware and software companies might be the target of attackers hoping to steal the companies' latest discoveries. Retail enterprises might be victims of theft of customers' credit card information. And law enforcement and government agencies might be targeted by attackers seeking access to sensitive information contained on their networks. Many cellular and smart phones have Internet access, so they may hold confidential information such as passwords and e-mail messages. An attacker could retrieve that information to attack the user's organizational networks later. Data on those devices is mostly not backed up and, to make matters worse, is not encrypted. Lost data means lost productivity, as employees are not able to do their jobs without backed-up data.
These mobile devices also have accessories capable of storing files, which an attacker could retrieve from the stolen devices. Such accessories include floppy disks and CDs, USB drives, CompactFlash and Secure Digital (SD) cards, smart cards and Subscriber Identity Module (SIM) cards. If they fall into the wrong hands, smart cards and SIM cards in particular can contain data such as private keys and personal information that could be used to attack the network of the device user's organization.
Wireless Connection and Exposure to Untrusted Networks:
Enterprise desktops or PCs are connected to local area networks with managed security settings and are protected from intruders and untrusted networks by firewall and IPS tools. Mobile devices use wireless networks to connect to the Internet, which is less secure than a wired connection. Malicious outsiders may intercept information, leading to breaches of sensitive data, damage to the enterprise's reputation or legal consequences. Furthermore, when laptops and other mobile devices leave their enterprise boundaries, at home or in a hotel, they may connect to the Internet without protection. This may expose the device to attackers scanning for vulnerable devices connected to the Internet, exposing the enterprise network to malware and causing data leakage or data corruption (ISACA, 2010).
Difficulty of Applying Security Updates:
While PCs have a static place in the network structure, mobile devices travel from network to network and often leave their local area network. As a result, they have become the most difficult devices to manage and secure centrally. Applying security updates, including patches, service packs and virus definition files, becomes very difficult. The traditional method of applying security requires the static physical position of computers as well as a logical one on the LAN (Microsoft Press, 2005). Even with the latest automatic update technology it is difficult to assess the current security state of remote mobile devices. With the absence of a clear patch management solution for mobile devices and their persistent connection to the Internet, the security threat to the devices, the information stored on them and the network of their organization has become very serious.
Mobile Malware and Bluetooth
Various malware families have been created to target mobile devices. A recent and notable example is Ikee.B, an iPhone worm created with a financial motive. The worm searches for financially sensitive data stored on the iPhone and sends it to the attacker (US-CERT, 2010), and it coordinates infected phones through a botnet command and control server. iPhones are exposed either because they have applications installed which allow remote access or because they are 'jailbroken', that is, configured to allow installation of unofficial applications. Flexspy, a commercial spyware product capable of listening to phone conversations, viewing e-mails and texts and tracking the user's movements without the user's knowledge, carries the serious risk of being used by attackers (US-CERT, 2010).
Bluetooth and synchronization between mobile devices and desktops are also potential attack routes. The Cardtrp worm infects devices through Bluetooth and the Multimedia Messaging Service (MMS) (Whipp, 2005). It infects mobile devices running the Symbian Series 60 operating system, used by most Nokia phones of the time, overwriting system files and causing malfunctions; this worm can also infect desktop computers. The other most prevalent, but less severe, mobile malware is Cabir, which is also a Bluetooth worm. It spreads to Bluetooth-enabled mobile devices that are in discoverable mode and causes the infected device to make continuous Bluetooth connection attempts, draining its battery.
Social Engineering
Social engineering is one of the known ways of spreading malware over the internet: users are deceived into believing that malicious activities are legitimate. Exploitation through social engineering has spread from desktops into the mobile market because it has become extremely lucrative. One social engineering method that is a significant cyber threat on mobile devices is phishing, the criminal attempt to manipulate a victim into exposing sensitive information by posing as a trustworthy entity, classically through e-mail scams. Two variants of phishing are used against mobile devices, vishing and smishing (US-CERT, 2010). The former uses voice communication, calling the victim as if from a financial institution and asking them to verify personal information; the latter exploits SMS text messages, sending a text containing a link and a plausible-sounding statement. Once the link is clicked, a Trojan horse is downloaded to gain access to the device.
Exploitation of Social Networking
Social media and networking sites such as Facebook and Twitter have become pillars of electronic information sharing and communication. As businesses and consumers continue to use those websites, targeted abuse of personal identity and data has increased substantially. The 2011 threat predictions by the anti-virus vendor McAfee named social media as a major area of exploitation (McAfee, 2011). Significant increases in threats targeting iPhone applications and other mobile devices are another predicted area. The user transition from slower e-mail communication to faster methods such as instant messaging, Twitter and Facebook triggered this shift in threats.
Two major areas of social media abuse are short URL abuse and locative service abuse. As users communicate and share their interests, Uniform Resource Locators (URLs) are continuously exchanged. The ability to shorten a long URL through various websites makes communication easier, and for the character-constrained Twitter the shortened URLs have become invaluable. However, shortened URLs are abused by criminals because users cannot tell where a shortened link leads until they click it (US-CERT, 2010). Many social media users also add GPS (global positioning system) information to their updates to let their friends see where they are. Locative services such as Gowalla and Facebook Places make it easy to search for, find and track friends or strangers (McAfee, 2011). Based on information from such services and from other posted updates, users can easily become targets of cyber criminals and scammers. In sum, exploitation of social media together with the increased use of mobile devices has intensified targeting and malware sophistication. The next section discusses how to manage the risks associated with mobile devices.
Policies, Standards and Procedures for Mobile Device Risks
There is an increasing tendency for enterprises to use mobile devices in their working environment. Enterprises may use either   However, before implementing them they should perform a risk assessment, weighing the benefits offered by the technology against the risks involved. Once the benefits and the risks are clearly understood, the enterprise has to make sure that appropriate policies, standards and procedures for mobile devices are implemented (NIST, 2008).
A mobile device security policy should be established that clearly defines the rules, standards and practices. The policy should reflect the overall security and safeguarding views of the company. Restrictions on personal communications such as social media and networking should be clearly stated. As with the overall security policy, the effectiveness of the mobile security policy depends on its quality, implementation and enforcement.
An operational plan covering data protection, user authentication, access to enterprise networks and resources, and handling of lost or stolen devices should be established. Issues to consider when preparing the plan include issuance of new devices, backup and recovery, erasing content before disposal or reissue, the business applications to be used, and other security issues. Moreover, existing disaster recovery, contingency and business continuity plans should be extended to encompass mobile devices.
Security involves continually analyzing and managing risks. As seen in earlier sections, mobile devices have their share of risks and must also contend with a dynamically changing environment. A risk analysis identifies vulnerabilities and threats, enumerates potential attacks, assesses their likelihood of success, and estimates the potential damage from successful attacks. Risk management involves taking steps to reduce the assessed risk to an acceptable level and maintaining that level of risk. Ongoing risk analysis and management is an important organizational activity that is increasingly being mandated by law and regulation.
The mere existence of a mobile device security policy does not guarantee its implementation; user awareness is a precondition for success. Employees should be aware of the policies and of the consequences of violating them. There should be continuous awareness programs and training, especially for new employees.
Configuration control and management of mobile devices is required in order to protect against improper modifications. The enterprise has to make sure that patches and upgrades are applied, unnecessary applications are disabled, Bluetooth is turned off until it is needed, user authentication and access controls are in place, and malware prevention and detection software (antivirus, anti-spam and firewalls) is installed.
Conclusions
The use of mobile computing devices such as laptops, PDAs, Pocket PCs and smartphones has become indispensable for enterprises seeking efficiency and productivity in their business operations. However, there are risks involved in the use of these technologies. The sources of risk include mobility itself, exposure to unsecured networks, mobile malware, and identity theft and data loss through social engineering and social network abuse. Enterprises should undertake a proper risk analysis identifying the vulnerabilities and threats associated with mobile devices before adopting the technology. A clearly stated mobile device security policy is indispensable. Moreover, proper IDS and IPS software, a deployment and operational plan, configuration control and management, and security awareness training for mobile devices are crucial for successful adoption.
References:
ISACA, (2010). Securing Mobile Devices. Retrieved from http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Securing-Mobile-Devices.aspx
McAfee, (2011). 2011 Threats Predictions. Retrieved from 
Microsoft Press, (2005). Implementing Security for Mobile Computers. In Microsoft Windows Security Resource Kit, Second Edition. Retrieved from http://search.microsoft.com.
NASCIO, (2009). Security at the Edge – Protecting Mobile Computing Devices. Retrieved from http://www.nascio.org/publications/documents/NASCIO-SecurityAtTheEdge.pdf
NIST, (2008). Guidelines on Cell Phone and PDA Security. Retrieved from 
Radack, S., (2003). Security for Wireless Network and Services. Retrieved from http://www.itl.nist.gov/lab/bulletns/bltnmar03.htm
US-CERT, (2010). Cyber Threats to Mobile Devices. Technical Information Paper 10-105-01. Retrieved from http://www.us-cert.gov/reading_room/TIP10-105-01.pdf
Whipp, M., (2005). Cardtrp Virus can spread to PCs. Retrieved from 

Saturday, October 12, 2013

Operating Systems Security: Threats and Protection Mechanisms

An operating system can be defined as "a set of program modules which provides a friendly interface between the user and the computer resources such as processors, memory, Input / Output devices and information" (Madana, 2009). Protecting the operating system is essential in order to control access to computer systems and the information stored in them. This paper explores security needs, vulnerabilities and protection mechanisms in operating systems. The first section deals with the operating system and the need for its security. The second section discusses OS threats and vulnerabilities. The third section covers user-side protection mechanisms and trusted and secure operating systems. Finally, a concluding comparison of the protection mechanisms is provided.
Operating System and the Need for its Security
An operating system is an intermediary between the user of a computer and the computer hardware. It manages the ways applications access the resources of a computer; major resources include disk drives, the CPU, input and output devices, main memory and network interfaces. Without the operating system, interaction of users and applications with the hardware would be impractical. The operating system lets users run application programs in a simple and consistent way (Goodrich and Tamassia, 2011). It also allows multiple users with different levels of access to share the same computer resources, and it permits not just a single application but multiple applications to run at the same time (multitasking). The kernel, the core component of the operating system, handles the management of low-level hardware resources, including the CPU, memory and input/output devices.
The complex tasks of the operating system, such as multitasking and admitting multiple users to the computer's resources, create the need for security. Computational resources must be protected from malicious or accidental damage by applications, from external threats and from vulnerabilities in the operating system itself. Each running application must also be protected from interference by other, possibly malicious, applications. At the same time, since each user has distinct needs and rights with respect to computer resources, the operating system has to make sure those needs and rights are respected.
The need for protection arises not just from sharing the processor among users, but also from sharing memory, I/O devices (disks and printers), application programs and data (Stallings, 2011). The operating system has to balance the need to allow sharing with the need to protect the resources of individual users. While sharing boosts the utility of the computer system, protection and security deal with regulating user access, information flow and certification. The following sections discuss the major threats and vulnerabilities of operating systems and the major mechanisms, traditional and trusted, for providing operating system (OS) security.
Operating System Security: Threats and Vulnerabilities
The increasing use of resource-sharing systems and computer networks has increased the threats to information and information systems. Among the general threats to be addressed are organized and intentional attempts to obtain economic or market information from competitors in the private sector or from government, unintentional or accidental acquisition of market, economic or personal information, fraud through illegitimate access to data banks, and invasion of individual rights by government and the intelligence community (Branted, 1978).
Most attacks are after information or data, which resides on a computer under the control of an operating system. Thus it is the operating system that will be exploited in order to obtain an organization's information. To understand the threats to operating system security clearly, the requirements for that security should be well stated. Those requirements are confidentiality, integrity, availability and authenticity. Confidentiality requires that system information be readable only by authorized entities; integrity requires that computer system assets be modified only by authorized parties; availability requires that system assets be available to authorized users; and authenticity requires that the computer system verify a user's identity (Stallings, 2011).
While the security of computer system assets encompasses hardware, software and data, the major problem is data security: data availability, confidentiality and integrity are the main concerns. Accidental or malicious destruction of data files, unauthorized reading of data files or databases, and modification of data files are the major concerns behind operating system security. Operating system security includes monitoring and protecting the processes running on the computer, protecting its memory and file system, and protecting application programs operating at the application layer. Some of the major attacks are discussed below.
A typical example of an attack on the processes running on the computer is the hibernation attack, which targets a machine that has gone into a powered-off hibernation state. When a user closes a laptop and it hibernates, the contents of memory are written to the hiberfil.sys file; an attacker with access to the disk can copy that file and recover any unencrypted passwords or keys that were in memory at the time (Goodrich and Tamassia, 2011). An attack on virtual memory, the mechanism that allows more processes than fit in RAM by paging to swap files, is another concern: an attacker can boot the machine into another operating system from external media, read the swap file and expose sensitive information. A dictionary attack can be used to guess the passwords behind the hashed (historically called "encrypted") passwords stored by the operating system. An attack on an application program known as a buffer overflow lets an attacker take control of the entire process. A Trojan horse is a typical example of the kind of malicious program that calls for a secure operating system: it is a program which appears to perform some useful task but which also has a malicious effect (Stallings, 2011).
Most attacks exploit inherent weaknesses, or vulnerabilities, in the operating system. A security comparison of the two major operating systems, Windows and Linux, shows that there are security issues worth discussing in relation to their authentication, authorization and auditing capabilities. Password protection is currently the primary means of authentication in both. However, the Linux password hashing scheme is more robust than the Windows one, because Linux adds a salt, a random value generated and stored with the user's password and mixed into it before hashing. Because the salt differs per user, an attacker cannot precompute one table of hashed dictionary words and reuse it against every account, so brute force and dictionary attacks are more costly on Linux (Nemati, 2008). Malicious software running in user space is the most common cause of security exploits on both; in particular, buffer overflow attacks have been used extensively on Windows platforms. The design principle of complete mediation is thoroughly implemented in both operating systems, but compliance with the principle of least privilege is a big concern for both. Logging is the foundation of good auditing, and both Linux and Windows have good logging capabilities; however, network-based logging is not part of the basic Windows or Linux operating system, despite the increase in attacks via the network interface. The next section deals with some of the mechanisms by which operating systems are protected from attacks and how trusted systems are used.
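The dictionary attack mentioned above and the effect of the per-user salt can be seen directly in code. The following is an added example, not part of the original post: it stores a constructed three-user password file once without salts and once with salts, runs a word-list attack against both, and counts the hash computations each attack needs. SHA-256 is used only to keep the example short; a real system should use a deliberately slow, salted scheme (sha512crypt, bcrypt, scrypt or Argon2). The user names, passwords, fixed salts and the word list are all constructed for this example.

```python
"""Added example (not from the original post): why a per-user salt defeats a
precomputed dictionary attack on stored password hashes.

SHA-256 is used here only to keep the example short; a real system should use
a deliberately slow, salted scheme (sha512crypt, bcrypt, scrypt or Argon2).
All user names, passwords, salts and the word list are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed attacker word list; in practice this would be millions of entries.
WORDLIST: List[str] = ["password", "letmein", "hunter2", "qwerty", "summer2013"]


def hash_unsalted(password: str) -> str:
    """Unsalted scheme: the hash depends on the password alone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted scheme: the salt is mixed in, so equal passwords give different hashes."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, hash) as a password file would record it."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex(), hash_salted(password, salt)


def verify_salted(password: str, salt_hex: str, stored_hash: str) -> bool:
    """Logon check: recompute with the stored salt and compare in constant time."""
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hash)


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """One table of hashed words, computed once, cracks every account at once.
    Returns (recovered passwords, number of hash computations)."""
    table = {hash_unsalted(w): w for w in wordlist}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(wordlist)


def crack_salted(stored: Dict[str, Tuple[str, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With a salt the table cannot be shared: every account costs a fresh pass
    over the word list. Returns (recovered passwords, number of hash computations)."""
    found: Dict[str, str] = {}
    work = 0
    for user, (salt_hex, h) in stored.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            work += 1
            if hash_salted(w, salt) == h:
                found[user] = w
                break
    return found, work


def demo() -> Dict[str, object]:
    """Run both attacks against a constructed three-user password file."""
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    # Fixed salts so the run is reproducible; production code must use os.urandom.
    salts = {"alice": bytes(range(16)), "bob": bytes(range(16, 32)), "carol": bytes(range(32, 48))}

    unsalted_db = {u: hash_unsalted(p) for u, p in users.items()}
    salted_db = {u: store_salted(p, salts[u]) for u, p in users.items()}

    unsalted_found, unsalted_work = crack_unsalted(unsalted_db, WORDLIST)
    salted_found, salted_work = crack_salted(salted_db, WORDLIST)
    return {
        # Unsalted: alice and bob share a hash, so the file itself leaks that they share a password.
        "duplicates_visible": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_duplicates_visible": salted_db["alice"][1] == salted_db["bob"][1],
        "unsalted_found": unsalted_found,
        "unsalted_work": unsalted_work,
        "salted_found": salted_found,
        "salted_work": salted_work,
        "logon_ok": verify_salted("password", *salted_db["alice"]),
        "logon_bad": verify_salted("Password", *salted_db["alice"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With five words and three users the unsalted attack costs five hashes in total, while the salted attack costs one pass per account (here seven hashes, since two accounts fall on the first word). Scaled to a real word list and a real user database the difference is the factor that makes the salted file expensive to crack; combined with a slow hash it becomes prohibitive.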
Mitigation or Protection Mechanisms
A number of design principles have been identified for designing security measures against the various threats to computer systems, and to operating systems in particular. These include least privilege, economy of mechanism, psychological acceptability, complete mediation and open design (Saltzer & Schroeder, 1975). The least privilege principle states that each program and user of an IT system should operate with the minimum set of privileges necessary to function properly. Economy of mechanism seeks simplicity in the design and implementation of security measures. Acceptability stresses an easy-to-use interface, so that users apply the protection correctly rather than working around it. Complete mediation requires that every access to a resource be checked against the access control mechanism, not just the first. Open design requires that the security of a mechanism not depend on keeping its design secret; only keys and passwords should need to be secret. The first part of this section addresses operating system protection mechanisms on the user side. The second part concentrates on trusted operating system designs and their implementation.

User-side Protection Mechanisms

Protection of Memory


For the correct functioning of the various processes, as well as for security, protecting main memory is essential, especially in a multiprogramming environment (Stallings, 2011). A virtual memory scheme separates the memory of one process from another. Using segmentation, paging, or the two in combination, main memory is managed effectively and protection and sharing policies become easy to implement. Virtual memory also gives processes more address space than the physical RAM by paging to disk. While the operating system is running, the contents of the paging files are not readable by ordinary processes; the risk of exposing their contents to an attacker who boots another operating system can be mitigated with full disk encryption (Goodrich and Tamassia, 2011).

User-Oriented Access Control

Access control in data processing is achieved by either user-oriented or data-oriented means. User-oriented access control is sometimes called authentication, and the most common technique is the user logon, which requires knowledge of both a user ID and a password. A shared system or server admits a user only if the system knows the user identifier (ID) and the user knows the password linked to that ID. This scheme is notoriously unreliable: passwords can be forgotten or accidentally revealed, and an attacker can guess the ID and brute-force the password.
User access control may be either centralized or decentralized. In the centralized approach, the network determines who is allowed to use it and what they may connect to. In the decentralized approach, the destination host carries out the logon procedure. To protect host-specific resources, many networks use two levels of access control: the network restricts access to authorized users, and the individual hosts run their own logon procedures.

Data-Oriented Access Control

Once logon is successful, granting the user access to one or more hosts or applications is not enough to protect a system holding plenty of sensitive data and applications. In data-oriented access control, after a successful logon and after the operating system grants a user permission to access a file or an application, a database management system makes a decision on each individual access attempt. The decision depends not only on the user's identity, but also on the specific portion of data to be accessed. A general model, the access matrix, is used to control access by file systems and database management systems. The model has three basic elements: subject, object and access right. A subject is an entity capable of accessing an object. An object is anything to which access is controlled. An access right is the way in which an object may be accessed by a subject, typically read, write or execute. In the access matrix each row represents a subject, each column represents an object, and each entry indicates the access rights of a specific subject for a specific object (Pfleeger and Pfleeger, 2009).
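The access matrix and the complete mediation principle from the start of this section fit together naturally, as the following added example shows (it is not code from the original post or from any of the cited works). It implements a sparse access matrix whose rows give a subject's capability list and whose columns give an object's access control list, and a small object store in which every read and write passes through the matrix on each call, so a revocation takes effect on the very next access. The subjects, object names and contents are constructed for the example.

```python
"""Added example (not from the original post): an access matrix with complete
mediation. Subjects, objects and rights are constructed for this example."""
from enum import Flag, auto
from typing import Dict, Tuple


class Right(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


class AccessMatrix:
    """Sparse access matrix: rows are subjects, columns are objects, entries are rights."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], Right] = {}

    def grant(self, subject: str, obj: str, rights: Right) -> None:
        self._entries[(subject, obj)] = self._entries.get((subject, obj), Right.NONE) | rights

    def revoke(self, subject: str, obj: str, rights: Right) -> None:
        current = self._entries.get((subject, obj), Right.NONE) & ~rights
        if current == Right.NONE:
            self._entries.pop((subject, obj), None)
        else:
            self._entries[(subject, obj)] = current

    def rights_of(self, subject: str, obj: str) -> Right:
        return self._entries.get((subject, obj), Right.NONE)

    def allows(self, subject: str, obj: str, wanted: Right) -> bool:
        """Reference monitor check: every bit in `wanted` must be present."""
        return (self.rights_of(subject, obj) & wanted) == wanted

    def capability_list(self, subject: str) -> Dict[str, Right]:
        """One row of the matrix: everything this subject may touch."""
        return {o: r for (s, o), r in self._entries.items() if s == subject}

    def access_control_list(self, obj: str) -> Dict[str, Right]:
        """One column of the matrix: everyone who may touch this object."""
        return {s: r for (s, o), r in self._entries.items() if o == obj}


class MediatedStore:
    """A tiny object store in which every operation passes through the matrix
    (complete mediation): there is no code path that reaches the data without
    a check, and the check is repeated on each access, not only at logon."""

    def __init__(self, matrix: AccessMatrix) -> None:
        self._matrix = matrix
        self._objects: Dict[str, str] = {}

    def create(self, subject: str, name: str, content: str) -> None:
        # The creator gets read and write on the new object, nothing more (least privilege).
        self._objects[name] = content
        self._matrix.grant(subject, name, Right.READ | Right.WRITE)

    def read(self, subject: str, name: str) -> str:
        if not self._matrix.allows(subject, name, Right.READ):
            raise PermissionError(f"{subject} may not read {name}")
        return self._objects[name]

    def write(self, subject: str, name: str, content: str) -> None:
        if not self._matrix.allows(subject, name, Right.WRITE):
            raise PermissionError(f"{subject} may not write {name}")
        self._objects[name] = content


def demo() -> Dict[str, object]:
    """Constructed scenario: bob may read but not change alice's payroll file."""
    matrix = AccessMatrix()
    store = MediatedStore(matrix)
    store.create("alice", "payroll.db", "salaries...")
    store.create("bob", "report.txt", "draft")
    matrix.grant("bob", "payroll.db", Right.READ)

    results: Dict[str, object] = {}
    results["bob_reads_payroll"] = store.read("bob", "payroll.db")
    try:
        store.write("bob", "payroll.db", "raise for bob")
        results["bob_writes_payroll"] = "allowed"
    except PermissionError:
        results["bob_writes_payroll"] = "denied"

    # Revocation is effective immediately because every access is mediated.
    matrix.revoke("bob", "payroll.db", Right.READ)
    try:
        store.read("bob", "payroll.db")
        results["bob_reads_after_revoke"] = "allowed"
    except PermissionError:
        results["bob_reads_after_revoke"] = "denied"

    results["payroll_acl"] = matrix.access_control_list("payroll.db")
    results["bob_caps"] = matrix.capability_list("bob")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same matrix serves both views an operating system needs: `capability_list` answers "what may this subject do" (the row), and `access_control_list` answers "who may touch this object" (the column). Real systems store one or the other rather than the full matrix, but the decision rule in `allows` is the same.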

Operating System Mode (OS Rings)

One protection technique used in all general-purpose operating systems is based on the processor's mode of execution. There are two distinct modes, kernel mode and user mode, and in most operating systems applications are separated from the operating system itself by this boundary. Kernel mode, or system mode, is a privileged processor mode with access to all system data and hardware. User mode, in which application code runs, is non-privileged: it has limited access to system data and no direct access to hardware (Russinovich et al., 2009). When a user program calls for a system service, the processor switches to kernel mode; when the system service completes, the operating system switches back to user mode and lets the program continue.
In kernel mode, the operating system has complete control of the processor and all its instructions, registers and memory (Stallings, 2011). The protection can be explained in terms of rings. On x86 processors, ring 0 is the most privileged level, where the kernel and the rest of the operating system reside, and ring 3 is the least privileged, where user applications run; rings 1 and 2 were intended for device drivers, but most mainstream operating systems use only rings 0 and 3 and run their drivers in ring 0. If ring 0 is compromised by an attacker, all access to system resources can be controlled by their malicious software (University of Maryland University College, 2011). For this reason, full control is not required by, and should not be allowed to, user programs. So far, operating system protection from the user's point of view has been discussed. The next section discusses trusted operating system designs, their functions and limitations.
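The boundary described above can be observed from user mode on a Unix-like system. The following added example (not from the original post) uses ctypes to issue the write(2) system call directly, once with a valid buffer and once with an address in the unmapped zero page. The only way for the program to get the kernel to act is the system call, and the kernel treats every argument that crosses the boundary as untrusted: the bad pointer is rejected with EFAULT rather than being dereferenced in ring 0. It assumes a POSIX libc reachable through ctypes (Linux or macOS); the pipe and the invalid address are constructed for the example.

```python
"""Added example (not from the original post): observing the user/kernel
boundary from user mode. The kernel validates the pointer handed to write(2)
and returns EFAULT instead of touching the unmapped address. Assumes a POSIX
libc reachable through ctypes (Linux or macOS)."""
import ctypes
import errno
import os
from typing import Dict


def _libc() -> ctypes.CDLL:
    # CDLL(None) resolves symbols already loaded into this process, which
    # includes libc for a normally built CPython; fall back to the glibc SONAME.
    try:
        lib = ctypes.CDLL(None, use_errno=True)
        lib.write  # raises AttributeError if libc symbols are not visible
        return lib
    except (AttributeError, OSError):
        return ctypes.CDLL("libc.so.6", use_errno=True)


def raw_write(fd: int, address: int, length: int) -> Dict[str, int]:
    """Issue write(2) with an arbitrary user-space address, bypassing Python's
    own checks, and report the return value and errno the kernel produced."""
    libc = _libc()
    libc.write.restype = ctypes.c_ssize_t
    libc.write.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
    ctypes.set_errno(0)
    n = libc.write(fd, address, length)
    return {"result": n, "errno": ctypes.get_errno()}


def boundary_demo() -> Dict[str, object]:
    """Write through a pipe with a valid buffer, then with address 1."""
    r, w = os.pipe()
    try:
        good = ctypes.create_string_buffer(b"hello")
        ok = raw_write(w, ctypes.addressof(good), 5)
        # Address 1 lies in the unmapped zero page; the kernel must not touch it.
        bad = raw_write(w, 1, 5)
        received = os.read(r, 5)
    finally:
        os.close(r)
        os.close(w)
    return {
        "valid_pointer_bytes": ok["result"],
        "received": received,
        "bad_pointer_result": bad["result"],
        "bad_pointer_errno_is_efault": bad["errno"] == errno.EFAULT,
    }


if __name__ == "__main__":
    for k, v in boundary_demo().items():
        print(f"{k}: {v}")
```

The same bad address dereferenced in user mode would simply crash this process (a segmentation fault); handed to the kernel it produces an error return because the kernel copies user data through checked accessors rather than trusting the pointer. That check at the boundary is what keeps a user-mode bug from becoming a ring 0 memory corruption.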

Trusted Systems Protection
An operating system is considered trusted if there is confidence that it provides four services (memory protection, file protection, general object access control and user authentication) consistently and effectively (Pfleeger and Pfleeger, 2009). Trusted system protection extends from the initial boot process and the kernel, through application and file system protection and full disk encryption, to combined software and hardware solutions. This section discusses three major models: Multiple Independent Levels of Security (MILS), the Trusted Platform Module (TPM) and the Trusted Computing Base (TCB).

Multiple Independent Levels of Security (MILS)

What makes MILS distinct is that it is an architecture built from the very beginning with security in mind. MILS is considered a high-assurance architecture for handling information of different classification levels. It is designed to protect against malicious software, internal errors and system failures. Applications run in separate partitions, which prevents unintended interaction between them. This is accomplished through four key security policies: information flow, data isolation, periods processing and damage limitation (www.ois.com/products, 2011). These policies are enforced by a separation kernel; middleware layered on top of it builds application-level services and policies.
Information flow between partitions is restricted, and where communication is required it takes place only over explicitly authorized channels. Data isolation makes sure that private data remains private. Periods processing ensures that shared processor state (registers, caches and other residue) is scrubbed before control switches from one partition to another, so that no data leaks across the switch. Damage limitation contains a failure in one partition, so that a breakdown in one partition does not cascade into another.
In general, the benefits of the MILS architecture include a reduction in hardware components, flexibility in information control and management, cheaper development of highly secure systems, and less need to redesign systems to meet security standards (University of Maryland University College, 2011). Separation is the biggest advantage of MILS.

Trusted Platform Module (TPM)

The Trusted Computing Group (TCG), a non-profit group, has been working to improve trust and security in today's open computing platforms. The group defines trust as "the expectation that a device will behave in a particular manner for a specific purpose" (Krutz & Fry, 2009). Believing that software alone is not strong enough to protect information systems, the group combined hardware and software in the Trusted Platform Module (TPM). The TPM is a hardware-based trusted protection mechanism designed to protect the security and privacy of a computer system.
TPMs are usually installed on PC motherboards and are designed to protect cryptographic keys and authentication processes and to provide certification. The TPM can securely generate, store and manage cryptographic keys, including a private key that is ultimately needed to decrypt protected data. Such data cannot be decrypted unless the TPM releases the key after appropriate authentication, and the TPM can be configured to release it only when the platform is in an expected, measured state. A secret and unique RSA key (the endorsement key) is built into the TPM chip during manufacture; it can be used to demonstrate to other parties that they are dealing with a genuine TPM.
The authenticated boot service validates code through digital signatures and hash values at each stage of booting (reading the ROM, reading the master boot record, locating the operating system). At every stage the measurement of the next component is recorded in the TPM, so the integrity of the whole chain can be checked afterwards. Whenever an application is loaded or hardware needs to be configured, the system is checked against an approved list, and where applicable a digital signature is verified before the configuration or loading is performed. Thanks to its built-in lockout mechanism, which slows or blocks repeated failed authorization attempts, the TPM is resistant to dictionary attacks on its authorization secrets. However, the 'cold boot attack' showed that encryption keys remaining in RAM after a reset can be recovered, so keys the TPM has released into memory are still exposed (University of Maryland University College, 2011).
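The way the TPM records a boot chain is worth seeing concretely. The following added example (not from the original post or from the TCG specifications) is a software model of measured boot: each stage is hashed and the result is folded into a Platform Configuration Register by the extend operation, PCR = H(PCR || H(stage)). A secret is then sealed to the resulting PCR value, and unsealing succeeds only when the chain, in the same order, produces the same value. SHA-256 stands in for the TPM's SHA-256 bank, and the seal/unseal functions are a simplification (a PCR-derived key with an HMAC tag) of real TPM sealing, which keeps the key inside the chip; the boot images and the secret are constructed for the example.

```python
"""Added example (not from the original post): a software model of the TPM's
authenticated (measured) boot. Each boot stage is measured and the measurement
extends a Platform Configuration Register: PCR = H(PCR || H(stage)). A secret
sealed to the final PCR value is released only if the same chain boots again.
SHA-256 models the TPM 2.0 SHA-256 bank; the boot images, the secret and the
seal/unseal scheme are constructed simplifications for this example."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

DIGEST = hashlib.sha256
PCR_INITIAL = bytes(32)  # PCRs start at all zeros after reset


def measure(stage: bytes) -> bytes:
    """Hash of a boot component (what the previous stage computes before handing over)."""
    return DIGEST(stage).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: a PCR can only be extended, never written directly."""
    return DIGEST(pcr + measurement).digest()


def measured_boot(stages: List[bytes]) -> Tuple[bytes, List[bytes]]:
    """Return the final PCR value and the event log (one measurement per stage)."""
    pcr = PCR_INITIAL
    log: List[bytes] = []
    for stage in stages:
        m = measure(stage)
        log.append(m)
        pcr = pcr_extend(pcr, m)
    return pcr, log


def replay_log(log: List[bytes]) -> bytes:
    """A verifier recomputes the PCR from the event log; it must match the TPM's value."""
    pcr = PCR_INITIAL
    for m in log:
        pcr = pcr_extend(pcr, m)
    return pcr


def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += DIGEST(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(secret: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
    """Model of sealing: the key is derived from the PCR value the platform must be in."""
    key = DIGEST(b"seal-key" + expected_pcr).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ciphertext, DIGEST).digest()
    return {"ciphertext": ciphertext, "tag": tag}


def unseal(blob: Dict[str, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the current PCR equals the one it was sealed to."""
    key = DIGEST(b"seal-key" + current_pcr).digest()
    expected_tag = hmac.new(key, blob["ciphertext"], DIGEST).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None  # platform state differs from the sealed state
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], _keystream(key, len(blob["ciphertext"]))))


def demo() -> Dict[str, object]:
    """Constructed boot chains: a good one, one with a modified loader, one reordered."""
    good_chain = [b"ROM bootloader v1", b"OS loader v2", b"kernel 3.x"]
    tampered_chain = [b"ROM bootloader v1", b"OS loader v2 (rootkit)", b"kernel 3.x"]
    reordered_chain = [b"OS loader v2", b"ROM bootloader v1", b"kernel 3.x"]

    good_pcr, good_log = measured_boot(good_chain)
    blob = seal(b"disk-encryption-key", good_pcr)
    tampered_pcr, _ = measured_boot(tampered_chain)
    reordered_pcr, _ = measured_boot(reordered_chain)
    return {
        "log_replays_to_pcr": replay_log(good_log) == good_pcr,
        "unseal_good": unseal(blob, good_pcr),
        "unseal_tampered": unseal(blob, tampered_pcr),
        "unseal_reordered": unseal(blob, reordered_pcr),
        "tamper_changes_pcr": tampered_pcr != good_pcr,
        "order_matters": reordered_pcr != good_pcr,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two properties of the extend operation matter here: the final value depends on the order of the measurements, not just on their set, and nothing later in the chain can "un-extend" an earlier measurement, so a modified loader cannot hide itself from the PCR. The cold boot caveat from the paragraph above still applies once `unseal` succeeds: the released key is then ordinary data in RAM.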

Trusted Computing Base (TCB)

The TCB is the name given to everything in a trusted system that is necessary to enforce the security policy: all the parts of the system on which we depend for that enforcement. The security of the whole system therefore rests on the TCB, so it is indispensable that the TCB be complete and correct. The TCB is not only the operating system; it covers hardware, software and firmware. The hardware includes the processor, memory, registers and I/O devices. The software and firmware include the operating system (hardened kernel), configuration files, the shell or windowing system, and the firmware of peripheral devices (Pfleeger and Pfleeger, 2009; University of Maryland University College, 2011).
The main functions of the TCB are process activation, memory protection, execution domain switching and I/O operations (Harris, 2010). A process is "activated" when its request is made, enabling it to interact with the CPU; it is "deactivated" after the CPU finishes executing it or when the CPU is claimed by a higher-priority process. Memory protection is achieved by the TCB monitoring each domain's code and data to ensure secrecy and integrity. Execution domain switching is the transition of the CPU from executing instructions in user mode (less trusted) to privileged mode, or back. The TCB makes sure this happens properly; otherwise a less trusted process could execute in privileged mode and system resources would be compromised.

 Conclusions
From the user's perspective, for an operating system to be "secure" it should provide the following services: memory protection, file protection, general object access control and user authentication; effective and consistent provision of those services is what makes an operating system "trusted". The MILS architecture, with its inherent partition protection, means fewer hardware requirements, saving space and power; it is also cheaper and faster to develop, with easier management and control, and it makes it easier to integrate commercial off-the-shelf (COTS) components with less re-architecting. The TPM is a hardware-based trusted protection mechanism that secures the system through three services: certification, encryption and authenticated boot; its built-in lockout makes it resistant to dictionary attacks on its authorization secrets, although keys it releases into memory remain exposed to attacks such as cold boot. The TCB is the part of the trusted operating system necessary to enforce the security policy, and it comprises hardware, software and firmware. Evaluating the security features of a 'secure' or 'trusted' operating system requires reviewing the requirements, design and implementation, as well as the evidence of assurance, for each trusted computer system.

References:

Anderson, R. (2008). Security engineering – A guide to building dependable distributed systems (2nd ed.). New York, NY: John Wiley & Sons Publishing, Inc. Chapter 18, "API Attacks".
Beuchelt, G. (2009). Chapter 5, Unix and Linux Security. In Vacca, J. R. (Ed.), Computer and information security handbook. Boston, MA: Morgan Kaufmann Publishers.
Goodrich, M. and Tamassia, R. (2011). Introduction to Computer Security. Chapter 3, Operating Systems Security, pp. 114-165.
Krutz, R. L. & Fry, A. J. (2009). The CSSLP prep guide: mastering the certified secure software lifecycle professional. Retrieved from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=32022.
Harris, S. (2010). CISSP all-in-one exam guide, fifth edition. Retrieved from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=35956.
Madana, K. (2009). Operating systems made easy. Retrieved from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=34048.
Nemati, H. (2008). Information security and ethics: concepts, methodologies, tools, and applications. Retrieved from http://common.books24x7.com.ezproxy.umuc.edu/toc.aspx?bookid=22649.
Pfleeger, C. and Pfleeger, S. L. (2007). Security in Computing, 4th ed., Prentice Hall, Englewood Cliffs, NJ.
Russinovich, M. E., Solomon, D. A. & Ionescu, A. (2009). Windows Internals, fifth edition.
Saltzer, J. and Schroeder, M. (1975). The protection of information in computer systems. Proceedings of the IEEE, 63(9), 1278-1308.
Santana, M. (2009). Chapter 6, Eliminating the Security Weakness of Linux and Unix Operating Systems. In Vacca, J. R. (Ed.), Computer and information security handbook. Boston, MA: Morgan Kaufmann Publishers.
Stallings, W. (2011). Operating System Security. In H. Bidgoli (Ed.), Handbook of information security, volume 2. Part 3: Foundations of Information, Computer and Network Security. New York, NY: John Wiley & Sons, Inc.